That probably depends on the banking application and how the bank allows you to recover a lost PIN. I would normally say "you should enable PIN or fingerprint authentication", but in fact you might not be required to. PIN/fingerprint is breakfast for security-aware individuals.
Let's analyse the little information you provided: that you are enabled to pay by QR and that you would like, as I do, to manage all payments via smartphone.
I will not disclose the name of my bank, but will describe what major banks in Europe normally do. You did not describe how your bank works in the first place.
Authentication at banking application level
Assuming you don't have fingerprints enabled, and/or if your bank app doesn't (yet) support that, most banks will, despite the great security APIs of Android, issue you yet another new PIN code that is valid only for themselves. It can be equal to your phone's PIN if they allow you to choose.
Since you have to reauthenticate at the banking application every time you do something, from checking your balance to making a payment, they will be safe. Even if you lose your phone and whoever finds it has access to WhatsApp and all your emails, they will likely have no immediate access to your banking account. I will be writing a huge footnote.
That is the only security measure you can have, but it depends on your bank. Note: we could write an entire book for this paragraph, including OTPs and PSD2 (European Payment Service Directive 2), but those would go beyond the scope of the question, which is about the security measures the OP can take.
Geolocation
A lot of banks require customers to disclose GPS location when doing anything. I am a bit skeptical about anti-fraud systems, but at least on paper this works: they already know the location of stores where QR codes are exposed. Once you issue a QR payment, you are supposed to be at the place. QRs can still be sent over WhatsApp, printed and photocopied for remote payments.
Root checking
Another thing banks normally do is limit or block functionality for rooted devices that do not pass SafetyNet hardware/software attestation.
Disclosure: I am Groot. I will never unroot. But I have to admit that they block root for a reason. Perhaps most of them do because OWASP requires that.
In this case, payments with QR codes can theoretically be violated by a malicious root app that forces the camera API to read a bogus static image with a QR code owned by the attacker. Notice the emphasis on theoretically.
Footnote: recovering credentials on unlocked phone
This all depends on the bank. Losing an unlocked phone with access to email and messaging is dangerous per se, but might or might not be enough to steal money from you. I have already talked about banks requiring a separate PIN/authentication from you to issue transactions.
But when you leave unrestricted access to your emails, danger is close. Let's put it extremely simply. If your bank allows you to recover a forgotten access code by simple means of SMS recovery and/or email confirmation, you are required to put additional security measures on your phone. A number of banks will at least require you to be physically at the branch before asking you for email/SMS confirmation. If your bank falls in this category, you still might have a chance to live without PIN and fingerprints.
Summarizing
Most depends on the security model of your bank. It is trivial to require everyone to use strong authentication on the phone, but as I have illustrated, while banks do enforce their own security in banking applications, odds are that, depending on the practices of your bank, you could leave a big hole open in your security by leaving the phone unlocked.
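The store-proximity check described under "Geolocation", written out as an added illustration that is not part of this answer and not any bank's real anti-fraud logic: the merchant coordinates, the 200 m radius and the handling of a missing GPS fix are all assumptions made for the example.

```python
import math
from dataclasses import dataclass
from typing import Optional, Tuple

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius in metres


@dataclass(frozen=True)
class Merchant:
    """Registered location of the shop where a static QR code is displayed (constructed)."""
    merchant_id: str
    lat: float
    lon: float


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS84 points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def qr_payment_location_check(
    merchant: Merchant,
    device_lat: Optional[float],
    device_lon: Optional[float],
    accuracy_m: float,
    max_distance_m: float = 200.0,  # assumed radius, not a figure from the answer
) -> Tuple[str, Optional[float]]:
    """Decide whether a QR payment looks like it was issued at the merchant's location.

    Returns (decision, distance_m):
      "allow"   - device is within max_distance_m (plus its reported GPS accuracy) of the shop
      "step_up" - no location, or too far away: the QR may have been forwarded (e.g. over a
                  messenger or as a photocopy), so the bank should ask for extra authentication
    """
    if device_lat is None or device_lon is None:
        return "step_up", None  # nothing to compare against: cannot confirm presence in the shop
    distance = haversine_m(merchant.lat, merchant.lon, device_lat, device_lon)
    # Tolerate the receiver's own uncertainty so an honest customer with a poor
    # GPS fix inside the shop is not challenged for no reason.
    if distance <= max_distance_m + accuracy_m:
        return "allow", distance
    return "step_up", distance


# Constructed sample merchant in central Paris used by the checks below.
SHOP = Merchant("shop-0001", 48.8566, 2.3522)
```

A forwarded QR paid from another city is not rejected outright, only pushed to step-up authentication, which matches the answer's point that remote QR payments are legitimate and the control is a risk signal rather than a hard block.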